.33 patches

6 files changed, 350 insertions, 0 deletions

diff --git a/queue-2.6.33/av7110-check-for-negative-array-offset.patch b/queue-2.6.33/av7110-check-for-negative-array-offset.patch
new file mode 100644
index 0000000..9868820
--- /dev/null
+++ b/queue-2.6.33/av7110-check-for-negative-array-offset.patch
@@ -0,0 +1,31 @@
+From cb26a24ee9706473f31d34cc259f4dcf45cd0644 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <error27@gmail.com>
+Date: Fri, 7 Jan 2011 16:41:54 -0300
+Subject: [media] [v3,media] av7110: check for negative array offset
+
+From: Dan Carpenter <error27@gmail.com>
+
+commit cb26a24ee9706473f31d34cc259f4dcf45cd0644 upstream.
+
+info->num comes from the user.  It's type int.  If the user passes
+in a negative value that would cause memory corruption.
+
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/dvb/ttpci/av7110_ca.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/dvb/ttpci/av7110_ca.c
++++ b/drivers/media/dvb/ttpci/av7110_ca.c
+@@ -277,7 +277,7 @@ static int dvb_ca_ioctl(struct inode *in
+ 	{
+ 		ca_slot_info_t *info=(ca_slot_info_t *)parg;
+ 
+-		if (info->num > 1)
++		if (info->num < 0 || info->num > 1)
+ 			return -EINVAL;
+ 		av7110->ci_slot[info->num].num = info->num;
+ 		av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?
diff --git a/queue-2.6.33/cred-fix-get_task_cred-and-task_state-to-not-resurrect-dead-credentials.patch b/queue-2.6.33/cred-fix-get_task_cred-and-task_state-to-not-resurrect-dead-credentials.patch
new file mode 100644
index 0000000..9cb01e5
--- /dev/null
+++ b/queue-2.6.33/cred-fix-get_task_cred-and-task_state-to-not-resurrect-dead-credentials.patch
@@ -0,0 +1,177 @@
+From de09a9771a5346029f4d11e4ac886be7f9bfdd75 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 29 Jul 2010 12:45:49 +0100
+Subject: CRED: Fix get_task_cred() and task_state() to not resurrect dead credentials
+
+From: David Howells <dhowells@redhat.com>
+
+commit de09a9771a5346029f4d11e4ac886be7f9bfdd75 upstream.
+
+It's possible for get_task_cred() as it currently stands to 'corrupt' a set of
+credentials by incrementing their usage count after their replacement by the
+task being accessed.
+
+What happens is that get_task_cred() can race with commit_creds():
+
+	TASK_1			TASK_2			RCU_CLEANER
+	-->get_task_cred(TASK_2)
+	rcu_read_lock()
+	__cred = __task_cred(TASK_2)
+				-->commit_creds()
+				old_cred = TASK_2->real_cred
+				TASK_2->real_cred = ...
+				put_cred(old_cred)
+				  call_rcu(old_cred)
+		[__cred->usage == 0]
+	get_cred(__cred)
+		[__cred->usage == 1]
+	rcu_read_unlock()
+							-->put_cred_rcu()
+							[__cred->usage == 1]
+							panic()
+
+However, since a tasks credentials are generally not changed very often, we can
+reasonably make use of a loop involving reading the creds pointer and using
+atomic_inc_not_zero() to attempt to increment it if it hasn't already hit zero.
+
+If successful, we can safely return the credentials in the knowledge that, even
+if the task we're accessing has released them, they haven't gone to the RCU
+cleanup code.
+
+We then change task_state() in procfs to use get_task_cred() rather than
+calling get_cred() on the result of __task_cred(), as that suffers from the
+same problem.
+
+Without this change, a BUG_ON in __put_cred() or in put_cred_rcu() can be
+tripped when it is noticed that the usage count is not zero as it ought to be,
+for example:
+
+kernel BUG at kernel/cred.c:168!
+invalid opcode: 0000 [#1] SMP
+last sysfs file: /sys/kernel/mm/ksm/run
+CPU 0
+Pid: 2436, comm: master Not tainted 2.6.33.3-85.fc13.x86_64 #1 0HR330/OptiPlex
+745
+RIP: 0010:[<ffffffff81069881>]  [<ffffffff81069881>] __put_cred+0xc/0x45
+RSP: 0018:ffff88019e7e9eb8  EFLAGS: 00010202
+RAX: 0000000000000001 RBX: ffff880161514480 RCX: 00000000ffffffff
+RDX: 00000000ffffffff RSI: ffff880140c690c0 RDI: ffff880140c690c0
+RBP: ffff88019e7e9eb8 R08: 00000000000000d0 R09: 0000000000000000
+R10: 0000000000000001 R11: 0000000000000040 R12: ffff880140c690c0
+R13: ffff88019e77aea0 R14: 00007fff336b0a5c R15: 0000000000000001
+FS:  00007f12f50d97c0(0000) GS:ffff880007400000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f8f461bc000 CR3: 00000001b26ce000 CR4: 00000000000006f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+Process master (pid: 2436, threadinfo ffff88019e7e8000, task ffff88019e77aea0)
+Stack:
+ ffff88019e7e9ec8 ffffffff810698cd ffff88019e7e9ef8 ffffffff81069b45
+<0> ffff880161514180 ffff880161514480 ffff880161514180 0000000000000000
+<0> ffff88019e7e9f28 ffffffff8106aace 0000000000000001 0000000000000246
+Call Trace:
+ [<ffffffff810698cd>] put_cred+0x13/0x15
+ [<ffffffff81069b45>] commit_creds+0x16b/0x175
+ [<ffffffff8106aace>] set_current_groups+0x47/0x4e
+ [<ffffffff8106ac89>] sys_setgroups+0xf6/0x105
+ [<ffffffff81009b02>] system_call_fastpath+0x16/0x1b
+Code: 48 8d 71 ff e8 7e 4e 15 00 85 c0 78 0b 8b 75 ec 48 89 df e8 ef 4a 15 00
+48 83 c4 18 5b c9 c3 55 8b 07 8b 07 48 89 e5 85 c0 74 04 <0f> 0b eb fe 65 48 8b
+04 25 00 cc 00 00 48 3b b8 58 04 00 00 75
+RIP  [<ffffffff81069881>] __put_cred+0xc/0x45
+ RSP <ffff88019e7e9eb8>
+---[ end trace df391256a100ebdd ]---
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Acked-by: Jiri Olsa <jolsa@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/proc/array.c      |    2 +-
+ include/linux/cred.h |   21 +--------------------
+ kernel/cred.c        |   25 +++++++++++++++++++++++++
+ 3 files changed, 27 insertions(+), 21 deletions(-)
+
+--- a/fs/proc/array.c
++++ b/fs/proc/array.c
+@@ -177,7 +177,7 @@ static inline void task_state(struct seq
+ 		if (tracer)
+ 			tpid = task_pid_nr_ns(tracer, ns);
+ 	}
+-	cred = get_cred((struct cred *) __task_cred(p));
++	cred = get_task_cred(p);
+ 	seq_printf(m,
+ 		"State:\t%s\n"
+ 		"Tgid:\t%d\n"
+--- a/include/linux/cred.h
++++ b/include/linux/cred.h
+@@ -153,6 +153,7 @@ struct cred {
+ extern void __put_cred(struct cred *);
+ extern void exit_creds(struct task_struct *);
+ extern int copy_creds(struct task_struct *, unsigned long);
++extern const struct cred *get_task_cred(struct task_struct *);
+ extern struct cred *cred_alloc_blank(void);
+ extern struct cred *prepare_creds(void);
+ extern struct cred *prepare_exec_creds(void);
+@@ -283,26 +284,6 @@ static inline void put_cred(const struct
+ 	((const struct cred *)(rcu_dereference((task)->real_cred)))
+ 
+ /**
+- * get_task_cred - Get another task's objective credentials
+- * @task: The task to query
+- *
+- * Get the objective credentials of a task, pinning them so that they can't go
+- * away.  Accessing a task's credentials directly is not permitted.
+- *
+- * The caller must make sure task doesn't go away, either by holding a ref on
+- * task or by holding tasklist_lock to prevent it from being unlinked.
+- */
+-#define get_task_cred(task)				\
+-({							\
+-	struct cred *__cred;				\
+-	rcu_read_lock();				\
+-	__cred = (struct cred *) __task_cred((task));	\
+-	get_cred(__cred);				\
+-	rcu_read_unlock();				\
+-	__cred;						\
+-})
+-
+-/**
+  * get_current_cred - Get the current task's subjective credentials
+  *
+  * Get the subjective credentials of the current task, pinning them so that
+--- a/kernel/cred.c
++++ b/kernel/cred.c
+@@ -209,6 +209,31 @@ void exit_creds(struct task_struct *tsk)
+ 	}
+ }
+ 
++/**
++ * get_task_cred - Get another task's objective credentials
++ * @task: The task to query
++ *
++ * Get the objective credentials of a task, pinning them so that they can't go
++ * away.  Accessing a task's credentials directly is not permitted.
++ *
++ * The caller must also make sure task doesn't get deleted, either by holding a
++ * ref on task or by holding tasklist_lock to prevent it from being unlinked.
++ */
++const struct cred *get_task_cred(struct task_struct *task)
++{
++	const struct cred *cred;
++
++	rcu_read_lock();
++
++	do {
++		cred = __task_cred((task));
++		BUG_ON(!cred);
++	} while (!atomic_inc_not_zero(&((struct cred *)cred)->usage));
++
++	rcu_read_unlock();
++	return cred;
++}
++
+ /*
+  * Allocate blank credentials, such that the credentials can be filled in at a
+  * later date without risk of ENOMEM.
diff --git a/queue-2.6.33/cred-fix-kernel-panic-upon-security_file_alloc-failure.patch b/queue-2.6.33/cred-fix-kernel-panic-upon-security_file_alloc-failure.patch
new file mode 100644
index 0000000..496d391
--- /dev/null
+++ b/queue-2.6.33/cred-fix-kernel-panic-upon-security_file_alloc-failure.patch
@@ -0,0 +1,41 @@
+From 78d2978874e4e10e97dfd4fd79db45bdc0748550 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+Date: Fri, 4 Feb 2011 18:13:24 +0000
+Subject: CRED: Fix kernel panic upon security_file_alloc() failure.
+
+From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+
+commit 78d2978874e4e10e97dfd4fd79db45bdc0748550 upstream.
+
+In get_empty_filp() since 2.6.29, file_free(f) is called with f->f_cred == NULL
+when security_file_alloc() returned an error.  As a result, kernel will panic()
+due to put_cred(NULL) call within RCU callback.
+
+Fix this bug by assigning f->f_cred before calling security_file_alloc().
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/file_table.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/file_table.c
++++ b/fs/file_table.c
+@@ -123,13 +123,13 @@ struct file *get_empty_filp(void)
+ 		goto fail;
+ 
+ 	percpu_counter_inc(&nr_files);
++	f->f_cred = get_cred(cred);
+ 	if (security_file_alloc(f))
+ 		goto fail_sec;
+ 
+ 	INIT_LIST_HEAD(&f->f_u.fu_list);
+ 	atomic_long_set(&f->f_count, 1);
+ 	rwlock_init(&f->f_owner.lock);
+-	f->f_cred = get_cred(cred);
+ 	spin_lock_init(&f->f_lock);
+ 	eventpoll_init_file(f);
+ 	/* f->f_version: 0 */
diff --git a/queue-2.6.33/series b/queue-2.6.33/series
index e3cbd80..12b09d2 100644
--- a/queue-2.6.33/series
+++ b/queue-2.6.33/series
@@ -339,3 +339,8 @@ mptfusion-fix-incorrect-return-value-in-mptscsih_dev_reset.patch
 sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch
 ocfs2_connection_find-returns-pointer-to-bad-structure.patch
 fix-pktcdvd-ioctl-dev_minor-range-check.patch
+x25-decrement-netdev-reference-counts-on-unload.patch
+x86-pvclock-zero-last_value-on-resume.patch
+av7110-check-for-negative-array-offset.patch
+cred-fix-get_task_cred-and-task_state-to-not-resurrect-dead-credentials.patch
+cred-fix-kernel-panic-upon-security_file_alloc-failure.patch
diff --git a/queue-2.6.33/x25-decrement-netdev-reference-counts-on-unload.patch b/queue-2.6.33/x25-decrement-netdev-reference-counts-on-unload.patch
new file mode 100644
index 0000000..1aef67b
--- /dev/null
+++ b/queue-2.6.33/x25-decrement-netdev-reference-counts-on-unload.patch
@@ -0,0 +1,36 @@
+From 171995e5d82dcc92bea37a7d2a2ecc21068a0f19 Mon Sep 17 00:00:00 2001
+From: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
+Date: Tue, 7 Dec 2010 09:43:30 +0000
+Subject: x25: decrement netdev reference counts on unload
+
+From: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
+
+commit 171995e5d82dcc92bea37a7d2a2ecc21068a0f19 upstream.
+
+x25 does not decrement the network device reference counts on module unload.
+Thus unregistering any pre-existing interface after unloading the x25 module
+hangs and results in
+
+ unregister_netdevice: waiting for tap0 to become free. Usage count = 1
+
+This patch decrements the reference counts of all interfaces in x25_link_free,
+the way it is already done in x25_link_device_down for NETDEV_DOWN events.
+
+Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/x25/x25_link.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/x25/x25_link.c
++++ b/net/x25/x25_link.c
+@@ -393,6 +393,7 @@ void __exit x25_link_free(void)
+ 	list_for_each_safe(entry, tmp, &x25_neigh_list) {
+ 		nb = list_entry(entry, struct x25_neigh, node);
+ 		__x25_remove_neigh(nb);
++		dev_put(nb->dev);
+ 	}
+ 	write_unlock_bh(&x25_neigh_list_lock);
+ }
diff --git a/queue-2.6.33/x86-pvclock-zero-last_value-on-resume.patch b/queue-2.6.33/x86-pvclock-zero-last_value-on-resume.patch
new file mode 100644
index 0000000..9aa832e
--- /dev/null
+++ b/queue-2.6.33/x86-pvclock-zero-last_value-on-resume.patch
@@ -0,0 +1,60 @@
+From e7a3481c0246c8e45e79c629efd63b168e91fcda Mon Sep 17 00:00:00 2001
+From: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
+Date: Mon, 25 Oct 2010 16:53:46 -0700
+Subject: x86/pvclock: Zero last_value on resume
+
+From: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
+
+commit e7a3481c0246c8e45e79c629efd63b168e91fcda upstream.
+
+If the guest domain has been suspend/resumed or migrated, then the
+system clock backing the pvclock clocksource may revert to a smaller
+value (ie, can be non-monotonic across the migration/save-restore).
+
+Make sure we zero last_value in that case so that the domain
+continues to see clock updates.
+
+Signed-off-by: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/include/asm/pvclock.h |    1 +
+ arch/x86/kernel/pvclock.c      |    5 +++++
+ arch/x86/xen/time.c            |    2 ++
+ 3 files changed, 8 insertions(+)
+
+--- a/arch/x86/include/asm/pvclock.h
++++ b/arch/x86/include/asm/pvclock.h
+@@ -10,5 +10,6 @@ unsigned long pvclock_tsc_khz(struct pvc
+ void pvclock_read_wallclock(struct pvclock_wall_clock *wall,
+ 			    struct pvclock_vcpu_time_info *vcpu,
+ 			    struct timespec *ts);
++void pvclock_resume(void);
+ 
+ #endif /* _ASM_X86_PVCLOCK_H */
+--- a/arch/x86/kernel/pvclock.c
++++ b/arch/x86/kernel/pvclock.c
+@@ -111,6 +111,11 @@ unsigned long pvclock_tsc_khz(struct pvc
+ 
+ static atomic64_t last_value = ATOMIC64_INIT(0);
+ 
++void pvclock_resume(void)
++{
++	atomic64_set(&last_value, 0);
++}
++
+ cycle_t pvclock_clocksource_read(struct pvclock_vcpu_time_info *src)
+ {
+ 	struct pvclock_shadow_time shadow;
+--- a/arch/x86/xen/time.c
++++ b/arch/x86/xen/time.c
+@@ -463,6 +463,8 @@ void xen_timer_resume(void)
+ {
+ 	int cpu;
+ 
++	pvclock_resume();
++
+ 	if (xen_clockevent != &xen_vcpuop_clockevent)
+ 		return;
+